[OPLINTECH] Group Policies

Chad Neeper cneeper at level9networks.com
Mon Jul 7 13:26:38 EDT 2014


Oh boy. It sounds like you're in for a "treat". I don't envy your situation.

I've started using Windows 8 on my patron/staff computers myself. The
patron computers all authenticate to Active Directory and get their group
policies for the computers and the users from there. That's a lot easier to
manage than individual computers with local policies configured. In this
configuration, you can have a Patron user defined in AD, with a set of
policies that configure the patron user profile just the way you want it,
but you can also log in as an admin level user that doesn't have the same
restrictions that the patron user has. No need to temporarily
enable/disable various policy settings to do your workstation management,
plus you can tweak the patron policies centrally and have them apply all at
once to all patron profiles/computers.

The way I typically configure the patron computers is all via group
policies. From the patron's viewpoint, they walk up to a computer and see a
blank screen with a single message saying something like, "I agree to the
library's AUP and not do anything stupid or illegal, yada, yada." and an OK
button. At this point, the computer is NOT logged in locally to Windows OR
the domain. The patron can only click on the OK button, which then
automatically logs the computer into the domain as Patron user, but using a
temporary local non-roaming user profile with user policies defined and
pulled from AD.

The patron is free to do whatever he/she can do on the computer and
generally just walks away from the computer when done. The computer is
configured to *reboot* after 15 minutes of idle when logged in. Rebooting
between patrons is the default and encouraged because it causes Deep Freeze to
reset the computer back to a known safe state.

That's all done via Computer and User group policies tailored for the
patron computers. Further, with Windows 8 computers, I try to minimize use
of the Metro/Modern/Ugly user interface. When clicking on the "Start Menu",
it displays the full list of programs installed, rather than showing the
Tiles first. I configure Internet Explorer to use the normal desktop
version rather than the touch-screen version. Same for the PDF viewer. As much
as I can, I use GP to try to limit being unexpectedly jarred back and forth
between the desktop and Modern/Metro UI. It seems to help quite a bit for
the patrons if they are kept in the desktop interface.

When it comes to administering the workstation, I leverage GP to do it
centrally. For local workstation needs, it's slightly inconvenient, but not
too bad:  Click on OK to accept the AUP and log in as Patron user. Then
disable Deep Freeze and reboot. Then click OK again to log in as Patron
user, then log out. On a log out, the option to log in as a different user
is available (as opposed to auto logging in as patron user). I usually then
log in as a local administrative user, but could also log in as an AD user
if I needed access to network files. When done admining the workstation,
re-enable Deep Freeze and reboot.

It's a pretty nice/tidy setup using pretty much nothing but GP. No scripts
or third party software required. The staff particularly like the library's
AUP (or references it rather) being right there every time a new patron
wants to use the computer. It's unavoidable.

When it comes to working with GP on a new OS (Windows 8 for instance), I
generally start by working with a very, very virgin Windows computer. I
then do NOTHING (as absolutely little as possible) but attach it to the
domain. I then will log it in as my Patron AD user and see what happens.
For every window that pops up, every feature that I see that I want to make
a change for, I find the GP that will do it for me. If I can't find a GP
for the feature I want to adjust or the window that pops up, I'll Google
for a registry key or some other solution that I can apply via GP. Usually
there is something that you can plug into GP to get the job done. I'll test
and incrementally build up a GP that can take a virgin computer/account and
have it completely configured the way I want it with almost NO adjustments
at all that have to be made manually.

A lot of how I develop the GP is basically, "It would be nice if I didn't
have to do X every time."  or  "It would be nice if it would do X for the
patron every time they use the computer."  or  "I don't want the patron to
be able to do X..."  etc. ...and then just find the policy or reg entry
that will make it so.

It's also very beneficial to have a virgin Windows test computer that's
either frozen with Deep Freeze or is virtualized (and frozen with DF or
whatever method provided with the hypervisor). This way you can use your
same virgin install over and over again to test each feature change you
make with GP. That's hugely beneficial.

HTH,
Chad



______________________________
*Chad Neeper*
Senior Systems Engineer

*Level 9 Networks*
740-548-8070 (voice)
866-214-6607 (fax)

*Full LAN/WAN consulting services -- Specialized in libraries and schools*
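The AUP-banner-plus-auto-logon pattern Chad describes lives in two registry locations that Group Policy writes to: the "Interactive logon" message values under Policies\System and the Winlogon auto-logon values. Below is an added audit script (not code from the original post or from Level 9 Networks) that a staff member can run on a patron workstation to confirm those settings match the described setup; it assumes the patron account is named "Patron" in a domain called "LIBRARY", both placeholders.

```powershell
# Added audit script (not from the original post). Reads the local settings
# behind the "click OK on the AUP, auto-logon as Patron" workflow and reports
# anything that deviates. Placeholders: adjust the account and domain names.
$ExpectedUser   = 'Patron'    # assumption: patron AD account name
$ExpectedDomain = 'LIBRARY'   # assumption: NetBIOS domain name

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$wl = Get-ItemProperty -Path $winlogonKey -ErrorAction SilentlyContinue
$ps = Get-ItemProperty -Path $policyKey   -ErrorAction SilentlyContinue

$findings = @()

# 1. The AUP banner is the "Interactive logon: Message title/text" policy.
if ([string]::IsNullOrWhiteSpace($ps.legalnoticetext)) {
    $findings += 'No logon banner text set (legalnoticetext is empty).'
}

# 2. Auto-logon must point at the patron account, not a staff account.
if ($wl.AutoAdminLogon -ne '1') {
    $findings += "AutoAdminLogon is '$($wl.AutoAdminLogon)', expected '1'."
}
if ($wl.DefaultUserName -ne $ExpectedUser -or $wl.DefaultDomainName -ne $ExpectedDomain) {
    $findings += "Auto-logon account is '$($wl.DefaultDomainName)\$($wl.DefaultUserName)', " +
                 "expected '$ExpectedDomain\$ExpectedUser'."
}

# 3. A DefaultPassword value under Winlogon is plaintext and readable by any
#    local user. The Sysinternals Autologon tool stores the password as an LSA
#    secret instead, so this value should be absent.
if ($null -ne $wl.DefaultPassword) {
    $findings += 'DefaultPassword is stored in plaintext under Winlogon; use the LSA secret (Sysinternals Autologon) instead.'
}

# 4. "Log out, then log in as a different user" only works when ForceAutoLogon
#    is not set; with it set, Winlogon immediately re-logs the patron account.
if ($wl.ForceAutoLogon -eq '1') {
    $findings += 'ForceAutoLogon is 1: staff cannot log in as another user after a logout.'
}

if ($findings.Count -eq 0) {
    'OK: AUP banner and patron auto-logon are configured as described.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it in an elevated PowerShell on a workstation after Group Policy has applied (gpupdate /force), and again after any policy change, so the plaintext-password and ForceAutoLogon checks catch a misconfiguration before it reaches the public floor.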


On Mon, Jul 7, 2014 at 12:14 PM, Tyson Horton <tyson at mywcpl.org> wrote:

> This goes out to anyone using Group Policies to lock down their computers.
> Our old IT guy has all of the public computers here locked down using Group
> Policy. Our new computers are all windows 8. Looking for your input, if you
> are using group policy, as to how you have yours set up. I’ve not done much
> with group policies, so any help would be appreciated. From what I can see,
> it’s a pain to go in and disable all of them to be able to make changes to
> the computer if necessary, unless I am missing something that makes it
> quicker to undo them? Steve left abruptly, so I was never shown what he did
> exactly. I’ve just been figuring it out on my own. If someone has a good
> list of things to Enable/Disable, that would be greatly appreciated! Or
> other means to keep users from making changes and/or getting into things
> they shouldn’t…
>
>
>
> Tyson Horton
>
> Systems Administrator
>
> Williams County Public Library
>
> 107 East High Street
>
> Bryan, OH 43506
>
> 419-636-6734 (voice)
>
> 419-630-0408 (fax)
>
> www.mywcpl.org
>
> _______________________________________________
> OPLINTECH mailing list
> OPLINTECH at lists.oplin.org
> http://lists.oplin.org/mailman/listinfo/oplintech
>
>
>